Re: [exim] tls_certificate weirdness

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Jon Gerdes
Date:  
À: exim-users@exim.org
Sujet: Re: [exim] tls_certificate weirdness
On Mon, 2016-08-22 at 12:03 +0100, Mike Brudenell wrote:
> Hi, Phil -
>

----------8<------------
> I'm not familiar with Centos but remember going crackers once on some
> flavour of Linux with trying to access a file that looked as though
> it
> should be accessible but I was being denied. Turned out to be some
> sort of
> security in Linux and I needed to to add the path to a file
> somewhere. I
> can't remember what the security system was called so can't search
> for it
> for you.


SELinux on Centos or AppArmor on Ubuntu.  Both can provide interesting
challenges for the unwary 8)

I went for a bit of a bodge on my LE test system, crontab contains this
beauty:

## Lets Encrypt ACME.SH - https://github.com/Neilpang/ 
0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" >
/dev/null && cat /etc/le/server.crt /etc/le/ca.crt >
/etc/le/chained.crt && /sbin/reload dovecot && /usr/bin/service exim4
reload

I also have Icinga watching the certificate expiry date and making
connectivity tests to both Exim and Dovecot.  The standard monitoring
plugins do this out of the box. eg:

/usr/lib64/nagios/plugins/check_smtp -H $HOSTADDRESS" --timeout=$ARG1$
--port=$ARG2$ --starttls --certificate=$ARG3$


Cheers
Jon